Mandrake Linux Security Advisory : MySQL (MDKSA-2006:149)

Severity: Low | Nessus Plugin ID: 23896


The remote Mandrake Linux host is missing one or more security updates.


MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

The update lets the local administrator disable MERGE tables by starting mysqld with the '--skip-merge' option, which can be set under MYSQLD_OPTIONS in /etc/sysconfig/mysqld. If '--skip-merge' is not used, the old behaviour of MERGE tables remains in effect.

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Packages have been patched to correct these issues.


Update the affected packages.

Plugin Details

Severity: Low

ID: 23896

File Name: mandrake_MDKSA-2006-149.nasl

Version: $Revision: 1.17 $

Type: local

Published: 2006/12/16

Modified: 2016/05/17

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 3.6

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:ND/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:MySQL, p-cpe:/a:mandriva:linux:MySQL-Max, p-cpe:/a:mandriva:linux:MySQL-NDB, p-cpe:/a:mandriva:linux:MySQL-bench, p-cpe:/a:mandriva:linux:MySQL-client, p-cpe:/a:mandriva:linux:MySQL-common, p-cpe:/a:mandriva:linux:lib64mysql14, p-cpe:/a:mandriva:linux:lib64mysql14-devel, p-cpe:/a:mandriva:linux:libmysql14, p-cpe:/a:mandriva:linux:libmysql14-devel, cpe:/o:mandriva:linux:2006

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2006/08/24

Vulnerability Publication Date: 2006/07/19

Reference Information

CVE: CVE-2006-4031, CVE-2006-4226

BID: 19279, 19559

OSVDB: 27703, 28012

MDKSA: 2006:149